Hi Steffen,

I don't see how a group of users should have a need for editing these 4 files. The daemon shouldn't be able to write its own config files (at least not those in /etc/boinc-client, these are not modifiable by any RPC config option of the daemon, afaik, and they contain security-related information such as allowed remote hosts and passwd, as well as global prefs override).

As long as the "group of persons" that handle boinc have the boinc passwd, they don't need to edit these files :)

FWIW, I've built my own customised boinc-client package for deployment over a large number of computers with these perms, and it works just fine. People in charge of handling the boinc daemon can tune the preferences/projects through a Boinc Account Manager on the web, and no local user can mess with the boinc installation.

So, I really think 640 is the right thing, but heh, you're the maintainer :)

HTH

T-Bone

On 1/20/07, Steffen Moeller <[EMAIL PROTECTED]> wrote:
> Hi Thibaut,
>
> you made a good point from how I see it. I could imagine a group of users
> that is assigned to the boinc group for editing the files. Should the
> permission then not rather be 660?
>
> Many greetings
>
> Steffen (who has collected 490 credits since you pointed him to boincsimap)
>
> On Saturday 20 January 2007 13:28, Thibaut VARENE wrote:
> > Package: boinc-client
> > Version: 5.4.11-4
> > Severity: normal
> >
> > boinc-client default install sets the following modes on
> > /etc/boinc-client/gui_rpc_auth.cfg:
> > -rw-r--r-- 1 boinc boinc 8 Jan 14 01:01 gui_rpc_auth.cfg
> >
> > By default it doesn't contain any password, but if an admin adds one
> > without checking the permissions, this password will be available to any
> > user on the system (allowing them to control the boinc daemon, and
> > potentially detach/attach projects, etc).
> >
> > Also, given the owner of this file is user 'boinc', the boinc daemon
> > itself could overwrite the contents of this file. An attacker finding a
> > programming flaw in the software could take advantage of this as well.
> >
> > This also applies to a lesser extent to the other files in the
> > /etc/boinc-client directory.
> >
> > Thus, it seems to me that the files in the /etc/boinc-client directory
> > should be 640 root:boinc instead of 644 boinc:boinc
> >
> > HTH
> >
> > T-Bone
> >
> > -- System Information:
> > Debian Release: 4.0
> >   APT prefers testing
> >   APT policy: (500, 'testing')
> > Architecture: powerpc (ppc)
> > Shell:  /bin/sh linked to /bin/bash
> > Kernel: Linux 2.6.19-ck2
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> >
> > Versions of packages boinc-client depends on:
> > ii  adduser   3.101                            Add and remove users and groups
> > ii  debconf   1.5.11                           Debian configuration management sy
> > ii  libc6     2.3.6.ds1-8                      GNU C Library: Shared libraries
> > ii  libcomer  1.39+1.40-WIP-2006.11.14+dfsg-1  common error description library
> > ii  libcurl3  7.15.5-1                         Multi-protocol file transfer libra
> > ii  libgcc1   1:4.1.1-19                       GCC support library
> > ii  libidn11  0.6.5-1                          GNU libidn library, implementation
> > ii  libkrb53  1.4.4-6                          MIT Kerberos runtime libraries
> > ii  libssl0.  0.9.8c-4                         SSL shared libraries
> > ii  libstdc+  4.1.1-19                         The GNU Standard C++ Library v3
> > ii  lsb-base  3.1-22                           Linux Standard Base 3.1 init scrip
> > ii  python    2.4.4-2                          An interactive high-level object-o
> > ii  zlib1g    1:1.2.3-13                       compression library - runtime
> >
> > boinc-client recommends no packages.
> >
> > -- debconf information excluded
>
> --
> Dr. Steffen Möller
> University of Lübeck
> Institute of Neuro- and Bioinformatics
> Ratzeburger Allee 160
> 23538 Lübeck
> Germany
> T: +49 451 500 5504
> F: +49 451 500 5502
> [EMAIL PROTECTED]
--
Thibaut VARENE
http://www.parisc-linux.org/~varenet/
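Added example, not code from the bug report or the boinc-client package: a POSIX shell audit that walks a boinc-client config directory and reports every file that is not mode 640 owned by root and the boinc group, flagging world-accessible files separately since that is the case in which gui_rpc_auth.cfg leaks the RPC password to every local user. It assumes GNU or BusyBox `stat`; the expected numeric uid and gid are parameters so the same check can be run against a constructed test directory without root.

```shell
#!/bin/sh
# check_boinc_conf DIR UID GID
#   Prints one line per file in DIR that is not mode 640 owned by UID:GID.
#   Returns 0 when every file conforms, 1 otherwise.
check_boinc_conf() {
    dir=$1 want_uid=$2 want_gid=$3
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # GNU/BusyBox stat: %a octal mode, %u numeric owner, %g numeric group
        set -- $(stat -c '%a %u %g' "$f")
        mode=$1 uid=$2 gid=$3
        why=""
        [ "$mode" = 640 ] || why="$why mode=$mode(want 640)"
        # any "other" bit set means every local user can read (or worse) the file
        case $mode in *[1-7]) why="$why world-accessible" ;; esac
        # owner must be root so the daemon (user boinc) cannot rewrite its own config
        [ "$uid" = "$want_uid" ] || why="$why uid=$uid(want $want_uid)"
        [ "$gid" = "$want_gid" ] || why="$why gid=$gid(want $want_gid)"
        if [ -n "$why" ]; then
            printf '%s:%s\n' "$f" "$why"
            rc=1
        fi
    done
    return $rc
}

# Convenience wrapper for the installed directory: root is uid 0 and the
# boinc gid is looked up from the group database (getent assumed available).
audit_etc_boinc() {
    gid=$(getent group boinc | cut -d: -f3)
    [ -n "$gid" ] || { echo "no boinc group on this system" >&2; return 2; }
    check_boinc_conf /etc/boinc-client 0 "$gid"
}
```

Run `audit_etc_boinc` after installing or reconfiguring the package; a non-zero exit with a line naming gui_rpc_auth.cfg as world-accessible is exactly the condition the report describes.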